Email Is Under Attack. Here's How the World Is Responding

Phishing attackers are like a horde of medieval warriors (foggy battle scene)

Despite its near-ubiquity, email is under attack. Email’s core protocols make no provision for authenticating the identity of a sender. As a result, it is trivial for phishers to impersonate others: Your boss, your CFO, a trusted business partner, even government agencies.

Multiple studies have identified spear phishing as a primary attack technique used in the vast majority of security incidents, including account compromise, exfiltration, penetration, and more. Some data points:

  • Spear phishing plays a role in at least 90 percent of all cyber attacks, according to multiple reports. (A recent example: Phishing threats still dwarf vulnerabilities, zero-days.)
  • The cost of just one type of fake-email attack, the business email compromise (BEC) exceeded $12.5 billion from 2013 through mid-2018, according to the FBI.
  • BEC rates have continued to rise, growing 476% between between Q4 2017 and Q4 2018, according to a recent report from Proofpoint.
  • 60 percent of organizations said that their domains had been impersonated by email fraudsters in Q4 2018.

In the vast majority of spear phishing cases, identity deception is in play, with the sender using a faked From: address, a deceptive domain, or a spurious display name. We refer to all of these as impersonation attacks or fake emails.

In short, phishing via impersonation — fake email — is a core hacking technique. Relegating it to the category of “social engineering” or spam and giving it the virtual equivalent of a shrug is not a sufficient response.

The Standards-Based Solution

There is an answer to this phishing crisis: Domain-based email authentication. Standards-based authentication, using the five key standards of DMARC, SPF, DKIM, ARC, and BIMI, provides several critical features that email, as implemented by most domain owners, currently lacks.

One of those standards plays a keystone role. DMARC, when properly implemented and configured to an enforcement policy, ties together the others to provide complete authentication and fraud protection against exact-domain fakes.

When configured to an enforcement policy (quarantine or reject), DMARC provides protection against fake email. Anyone attempting to send email “as” a DMARC-enforced domain will not succeed unless they have been authorized by the owner of that domain — their messages will not reach end user inboxes.

DMARC can be supplemented with ARC, which provides a trusted chain of authentications, enabling messages to pass authentication checks even after being forwarded (e.g. by a mail list server or forwarding service provider).

Domain owners that have configured DMARC to an enforcement policy can use BIMI, an emerging standard that allows them to configure an image (such as a logo) that will appear alongside authenticated messages in end-user inboxes.

Valimail’s research shows that 75 percent of inboxes worldwide (5 billion in all) are behind mail gateways that do DMARC checks and enforce the domain owners’ policies if those policies exist. That includes 100 percent of the major U.S. inbox providers, such as Gmail, Outlook.com, Yahoo! Mail, and so on.

In other words: email authentication works. It is up to domain owners to take advantage of it.

Email Authentication Continues to Grow

Valimail’s most recent Email Fraud Landscape found that the use of email authentication has been growing steadily.

We examined the DMARC records published by thousands of companies worldwide, grouped into 11 different categories. For most of these categories we now have data covering more than a year.

The picture that emerges is clear: The use of email authentication is growing steadily in every industry sector — and much more rapidly in the federal government, where its use has been mandated.

Here’s a peek at the data:

The Q4 report includes a lot more data, including detailed drilldowns on a few of these sectors where we’ve seen standout growth (e.g. health care and technology).

The report also includes an analysis of how successful various industries are in implementing DMARC. It’s not enough to merely deploy a DMARC record, you must also configure it to a policy of enforcement if you want to be protected from fake email. Unfortunately, only about 20 percent of companies in most industries are successful at getting to DMARC enforcement.

Find out more in the full Valimail report: “Email Fraud Landscape, Q4 2018.”

Dylan Tweney is the VP of research and communications for Valimail. Formerly, Dylan was the founder of Tweney Media, a content-driven communications agency, whose clients included Samsung, Korn Ferry International, Upwork, YL Ventures, Bloomberg Beta, and Valimail.

Previous to that, he was the editor-in-chief of VentureBeat (2011-2015) and a senior editor at Wired (2007-2011).